Corvus.Deployment

0.4.3

functions/azure/aad/Assert-AzureAdApiPermissions.ps1

                                # <copyright file="Assert-AzureAdApiPermissions.ps1" company="Endjin Limited">

# Copyright (c) Endjin Limited. All rights reserved.

# </copyright>

<#

.SYNOPSIS

Ensures that an AAD application has the specified API permissions.

.DESCRIPTION

Supports assigning API permissions (by name) to an AAD application - both 'Application' and 'Delegated' permissions.

NOTE: This function currently supports assigning permissions to the 'Microsoft Graph' and the now deprecated 'Azure Graph' APIs.

.PARAMETER ApiName

The name of the API - 'AzureGraph' or 'MSGraph'.

.PARAMETER ApplicationPermissions

The list of 'Application' (or 'AppRole') permissions to be assigned. (e.g. 'Application.ReadWrite.OwnedBy')

.PARAMETER DelegatedPermissions

The list of 'Application' (or 'OAuth') permissions to be assigned. (e.g. 'Application.Read.All')

.PARAMETER ApplicationId

The ApplicationID or ClientId of the AAD identity who requires the assignments.

#>

function Assert-AzureAdApiPermissions

{

    [CmdletBinding(SupportsShouldProcess)]

    param (

        [Parameter(Mandatory=$true)]

        [ValidateSet("AzureGraph","MSGraph")]

        [string] $ApiName,

        [Parameter()]

        [string[]] $ApplicationPermissions,

        [Parameter()]

        [string[]] $DelegatedPermissions,

        [Parameter(Mandatory=$true)]

        [guid] $ApplicationId

    )

    # Check whether we have a valid AzPowerShell connection, but no subscription-level access is required

    _EnsureAzureConnection -AzPowerShell -TenantOnly -ErrorAction Stop | Out-Null

    [hashtable[]] $accessRequirements = @()

    foreach ($permission in $ApplicationPermissions) {

        $permisssionId = _getApiPermissionId -ApiName $ApiName -Permission $permission -Type Application

        $accessRequirements += @{Id=$permisssionId; Type="Role"}

    }

    foreach ($permission in $DelegatedPermissions) {

        $permisssionId = _getApiPermissionId -ApiName $ApiName -Permission $permission -Type Delegated

        $accessRequirements += @{Id=$permisssionId; Type="Scope"}

    }

    $app = Get-AzADApplication -ApplicationId $ApplicationId

    if ($PSCmdlet.ShouldProcess($ApplicationId)) {

        $appManifest = Assert-RequiredResourceAccessContains `

                            -App $app `

                            -ResourceId (_getApiId -ApiName $ApiName) `

                            -AccessRequirements $accessRequirements

    }

}